Abstract. The authors' ATR programming formalism is a version of call-by-value PCF under a 
complexity-theoretically motivated type system. ATR programs run in type-2 polynomial-time and 
all standard type-2 basic feasible functionals are ATR-definable (ATR types are confined to levels 0, 
1, and 2). A limitation of the original version of ATR is that the only directly expressible recursions 
are tail-recursions. Here we extend ATR so that a broad range of affine recursions are directly 
expressible. In particular, the revised ATR can fairly naturally express the classic insertion- and 
selection-sort algorithms, thus overcoming a sticking point of most prior implicit-complexity-based 
formalisms. The paper's main work is in extending and simplifying the original time-complexity 
semantics for ATR to develop a set of tools for extracting and solving the higher-type recurrences 
arising from feasible affine recursions. 

1. TWO ALGORITHMS IN SEARCH OF A TYPE-SYSTEM 

As Hofmann [9] has noted, a problem with implicit characterizations of complexity classes is 
that they often fail to capture many natural algorithms — usually because the complexity-theoretic 
types used to control primitive recursion impose draconian restrictions on programming. Here is an 
example. In Bellantoni and Cook's 0] and Leivant's well-known characterizations of the polynomial-time 
computable functions, a recursively-computed value is prohibited from driving another 
recursion. But, for instance, the recursion clause of insertion-sort has the form 
ins_sort(cons(a, l)) = insert(a, ins_sort(l)), where insert is defined by recursion on its second 
argument; selection-sort presents analogous problems. 

Hofmann [9], [8] addresses this problem by noting that the output of a non-size-increasing program 
(such as ins_sort) should be permitted to drive another recursion, as it cannot cause the sort 
of complexity blow-up the B-C-L restrictions guard against. To incorporate such recursions, Hofmann 
defines a higher-order language with typical first-order types and a special type $\Diamond$ through 
which functions defined recursively must "pay" for any use of size-increasing constructors, in effect 
guaranteeing that there is no size increase. Through this scheme Hofmann is able to implement 
many natural algorithms while still ensuring that any typable program is non-size-increasing 
polynomial-time computable (Aehlig and Schwichtenberg [1] sketch an extension that captures all of 
polynomial-time). 

Our earlier paper 0,0], hereafter referred to as ATS, takes a different approach to constructing a 
usable programming language with guaranteed resource usage. We introduce a type-2 programming 
formalism called ATR (for Affine Tail Recursion, which we rechristen in this paper as Affine Tiered 
Recursion) based on PCF. ATR's type system is motivated by the tiering and safe/normal notions 
of [11] and 0] and serves to control the size of objects. Instead of restricting to primitive recursion, 
ATR has an operator for recursive definitions; affine types and explicit clocking on the operator 
serve to control time. We give a denotational semantics to ATR types and terms in which the 
size restrictions play a key part. This allows us, for example, to give an ATR definition of a 
primitive-recursion-on-notation combinator (with appropriate types and without explicit bounding 
$$V \mid K \mid O \mid (\lambda V.s) \mid (s\,t) \mid (\mathsf{c}_a\, s) \mid (\mathsf{d}\, s) \mid (\mathsf{t}_a\, s) \mid (\mathsf{if}\ s\ \mathsf{then}\ t_0\ \mathsf{else}\ t_1) \mid (\mathsf{down}\ s\ t) \mid (\mathsf{crec}\ K\ (\lambda_r f.t))$$

Figure 1. ATR expressions. V is a set of variable symbols and O a set of oracle symbols, 
terms) that preserves feasibility. We also give a time-complexity semantics and use it to prove that 



2) of Mehlhorn [12] and Cook and Urquhart [J] are ATR definable. Moreover, our underlying model 
of computation (and complexity) is just a standard abstract machine that implements call-by-value 
PCF. However, ATR is still somewhat limited as its only base type is binary words and the only 
recursions allowed are tail-recursions. 

What is new in this paper. In this paper we extend ATR to encompass a broad class of feasible 
affine recursions. We demonstrate these extensions by giving fairly direct and natural versions of 
insertion- and selection-sorts on lists. As additional evidence of ATR's support for programming 
we do not add lists as a base type, but instead show how to implement them over ATR's base type 
of binary words. 

The technical core of this paper is a simplification and generalization of the time-complexity 
semantics of ATS. We construct a straightforward framework in which recursion schemes in ATR 
lead to time-complexity recurrences that must be solved to show that these schemes preserve 
feasibility. This gives a route to follow when adding new forms of recursion to ATR. We follow 
this route to show that the recursions used to implement lists and insertion-sort are (second-order) 
polynomial-time bounded. We also discuss how to extend these results to handle the recursions 
present in selection-sort. Thus along with significantly extending our existing system to the point 
where many standard algorithms can be naturally expressed, we also provide a set of basic tools 
for further extensions. 



The ATR formalism. An ATR base type has the form $\mathsf{N}_L$, where labels $L$ are elements of the set 
$(\Box\Diamond)^* \cup \Diamond(\Box\Diamond)^*$ (our use of $\Diamond$ is not directly related to Hofmann's). The labels are ordered by 
$\varepsilon \le \Diamond \le \Box\Diamond \le \Diamond\Box\Diamond \le \cdots$. We define a subtype relation on the base types by $\mathsf{N}_L <: \mathsf{N}_{L'}$ if 
$L \le L'$ and extend it to function types in the standard way. Roughly, we can think of type-$\mathsf{N}_\varepsilon$ 
values as basic string inputs, type-$\mathsf{N}_\Diamond$ values as the result of polynomial-time computations over 
$\mathsf{N}_\varepsilon$-values, type-$\mathsf{N}_{\Box\Diamond}$ values as the result of applying an oracle (a type-1 input) to $\mathsf{N}_\Diamond$-values, 
type-$\mathsf{N}_{\Diamond\Box\Diamond}$ values as the result of polynomial-time computations over $\mathsf{N}_{\Box\Diamond}$-values, etc. $\mathsf{N}_L$ is called 
an oracular (respectively, computational) type when $L \in (\Box\Diamond)^*$ (respectively, $\Diamond(\Box\Diamond)^*$). We let $b$ (possibly 
decorated) range over base types. Function types are formed as usual from the base types. 

The base datatype is $K = \{0, 1\}^*$, and the ATR terms are defined in Figure 1. The term forming 
operations correspond to adding and deleting a left-most bit ($\mathsf{c}_0$, $\mathsf{c}_1$, and $\mathsf{d}$), testing whether a word 
begins with a 0 or a 1 ($\mathsf{t}_0$ and $\mathsf{t}_1$), and a conditional. The intended interpretation of $\mathsf{down}\ s\ t$ is $s$ 
if $|s| \le |t|$ and $\varepsilon$ otherwise. The recursion operator is crec, standing for clocked recursion. 

The typing rules are given in Figure 2. Type contexts are split (after Barber and Plotkin's 
DILL [2]) into intuitionistic and affine zones. Variables in the former correspond to the usual $\to$ 
1 These kinds of results may also have applications in the type of static analysis for time-complexity that Fred- 
eriksen and Jones Q investigate. 

Figure 2. ATR typing. The changes from ATS are as follows: (1) ATS imposed no 
constraint on $b_0$ in (crec-I); (2) ATS restricted (crec-I) to tail-recursion; and (3) ATS 
restricted ($\mathsf{d}$-I) and ($\mathsf{t}_a$-I) to computational types. 

introduction and elimination rules and variables in the latter are intended to be recursively defined; 
variables that occur in the affine zone are said to occur affinely in the term. The crec-I rule serves 
as both introduction and elimination rule for the implicit $\multimap$ types (in the rule $\vec b = b_1, \ldots, b_k$ and 
$\vec v : \vec b$ stands for $v_1 : b_1, \ldots, v_k : b_k$). We use $\lambda_r$ as the abstraction operator for variables introduced 
from the affine zone of the type context to further distinguish them from "ordinary" variables. The 
side-conditions on crec-I are that $f$ occurs in cons-tail position² in $t$ and if $b_i <: b_1$ then $b_i$ is 
oracular (including $i = 0$). The constraint on the types allows us to prove a polynomial size-bound 
on the growth of the arguments to $f$, which in turn allows us to prove such bounds on all terms. The 
typing rules enforce a "one-use" restriction on affine variables by disallowing their occurrence as a 
free variable in both arguments of down, the argument of an application, the test of a conditional, 
or anywhere in a crec-term. 

The intuition behind the shifts-to relation $\propto$ between types is as follows. Suppose $f : \mathsf{N}_\varepsilon \to \mathsf{N}_\Diamond$. 
We think of $f$ as being a function that does some polynomial-time computation to its input. If 
we have an input $x$ of type $\mathsf{N}_{\Box\Diamond}$ then recalling the intuition behind the base types, we should 
be able to assign the type $\mathsf{N}_{\Diamond\Box\Diamond}$ to $f(x)$. The shifts-to relation allows us to shift input types 
in this way, with a corresponding shift in output type. As a concrete example, the judgment 
$f : \mathsf{N}_\varepsilon \to \mathsf{N}_\Diamond,\ x : \mathsf{N}_\varepsilon;\ \vdash f(f\,x) : \mathsf{N}_{\Diamond\Box\Diamond}$ is derivable using Subsumption to coerce the type of $f(x)$ to 
$\mathsf{N}_{\Box\Diamond}$ and Shift to shift the type of the outer application of $f$. The definition of $\propto$ must take into 
account multiple arguments and level-2 types and hence is somewhat involved. Since we do not 
need it for the typings in this paper, we direct the reader to ATS for the full definition. 



2 Informally, $f$ occurs in cons-tail position in $t$ if in the parse-tree of $t$ a path from the root to a complete application 
of $f$ passes through only conditional branches (not tests), $\mathsf{c}_0$, $\mathsf{c}_1$, and the left-argument of down; tail_len($f$, $t$) is defined 
to be the maximum number of $\mathsf{c}_a$ operations not below any down node in any such path. 
Motivated by the approach of Jones [10], we define the cost of evaluation to be the size of a 
call-by-value evaluation derivation. This is essentially equivalent to the abstract machine-based 
cost model of ATS, but the derivation-based model helps avoid considerable bookkeeping clutter. 
Values are string constants, oracles, or abstractions. Environments map term variables to values or 
to closures over crec terms. A closure $t\rho$ consists of a term $t$ and an environment $\rho$. The evaluation 
relation has the form $t\rho \downarrow z\theta$ where $t\rho$ and $z\theta$ are closures and $z$ is a value. The derivation rules for 
the evaluation are mostly straightforward and mimic the action of the abstract machine of ATS; 
for example, we have 

$$\frac{\rho(x) \downarrow z\theta}{x\rho \downarrow z\theta} \qquad \frac{t\rho \downarrow (0z)\theta}{(\mathsf{d}\ t)\rho \downarrow z\theta} \qquad \frac{s\rho \downarrow w\zeta \quad t\rho \downarrow z\theta \quad |w| \le |z|}{(\mathsf{down}\ s\ t)\rho \downarrow w\zeta}$$

The evaluation rule for crec terms is 

$$(\mathsf{crec}\ a\ (\lambda_r f.\lambda\vec v.t))\rho \downarrow (\lambda\vec v.\ \mathsf{if}\ |a| \le |v_1|\ \mathsf{then}\ t\ \mathsf{else}\ \varepsilon)\,\rho[f \mapsto \mathsf{crec}\ (0a)\ (\lambda_r f.\lambda\vec v.t)]$$

which shows how unwinding the recursion increments the clock by one step. The cost of most inference 
rules is 1, except the $\mathsf{down}\ s\ t$ inference rules have cost $2|z| + 1$ where $t\rho \downarrow z\theta$ and environment 
and oracle evaluation have length-cost (so, e.g., the cost of the environment rule shown above is 
$\max(|z|, 1)$ when $z$ is of base type, 1 otherwise). 

Implementing lists and sorting. We implement lists of binary words via concatenated self-delimiting 
strings. Specifically, we code the word $w = b_0 \ldots b_{k-1}$ as $s(w) = 1b_0 1b_1 \ldots 1b_{k-1}0$ and the list 
$(w_0, \ldots, w_{k-1})$ as $s(w_0) \oplus \cdots \oplus s(w_{k-1})$, where $\oplus$ is the concatenation operation. Code for the 
basic list operations is given in Figure 3.³ Note that the cons, head, and tail programs all use 
cons-tail recursion. Insertion-sort is expressed in essentially its standard form, as in Figure 4. 
This implementation requires another form of recursion, in which the complete application of the 
recursively-defined function appears in an argument to some operator. In the later part of Section 3 
we show how this recursion in an argument can be incorporated into ATR. Selection-sort requires 
yet another form of recursion (a generalization of cons-tail recursion); we discuss how to incorporate 
it into ATR in Section 4. 

Our head and ins_sort programs use the down operator to coerce the type to $\mathsf{N}_\varepsilon$. Roughly, 
down is used in places where our type-system is not clever enough to prove that the result of a 
recursion is of size no larger than one of the recursion's initial arguments; the burden of supplying 
these proofs is shifted off to the correctness argument for the recursion. A cleverer type system 
(say, along the lines of Hofmann's [8]) could obviate many of these down's, but at the price of 
more complex syntax (i.e., typing), semantics (of values and of time-complexities), and, perhaps, 
pragmatics (i.e., programming). Our use of down gives us a more primitive (and intensional) system 
than found in pure implicit complexity,⁴ but it also gives us a less cluttered setting to work out the 
basics of complexity-theoretic compositional semantics — the focus of the rest of the paper. Also, 
in practice the proofs that the uses of down force into the correctness argument are for the most 
part obvious, and thus not a large burden on the programmer. 
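
The following Python model is an added illustration, not code from the paper: it transliterates the list operations of Figure 3, the insertion-sort of Figure 4 and the crec evaluation rule, with binary words as Python strings. The helper names (`crec`, `letrec`, `encode`, `decode`, `unwinds_of`), the ordering `leq` (used but not defined on the page) and the reading of the clock test as |a| <= |v1| are assumptions.

```python
EPS = ""  # the empty word; ATR values are words over {0,1}, modelled as str

# Term-forming operations on words (add/delete/test the left-most bit).
def c0(w): return "0" + w
def c1(w): return "1" + w
def d(w): return w[1:]
def t0(w): return w.startswith("0")
def t1(w): return w.startswith("1")

def down(s, t):
    """down s t is s if |s| <= |t| and the empty word otherwise."""
    return s if len(s) <= len(t) else EPS

STATS = {"unwinds": 0}  # number of times a crec body has been unwound

def crec(a, body):
    """Clocked recursion: the body runs only while |a| <= |v1| (assumed
    non-strict test); the recursive name is rebound to crec (0a) ..., so
    each unwinding advances the clock by one bit."""
    def f(*v):
        if len(a) <= len(v[0]):
            STATS["unwinds"] += 1
            return body(crec("0" + a, body))(*v)
        return EPS  # clock exhausted: the recursion is cut off
    return f

def letrec(body):
    """letrec f = s in ... end: bind f to crec started with an empty clock."""
    return crec(EPS, body)

NIL = EPS

def cons(w, l):
    # enc b x: b is the clock bound, x the bits of w still to be written as 1b
    enc = letrec(lambda enc: lambda b, x: (
        (c1(c0(enc(b, d(x)))) if t0(x) else c1(c1(enc(b, d(x))))) if x else c0(l)))
    return enc(w, w)

def head(l):
    # dec b x: strip the 1-markers of the first element, stop at its 0-terminator
    dec = letrec(lambda dec: lambda b, x: (
        (c0(dec(b, d(d(x)))) if t0(d(x)) else c1(dec(b, d(d(x))))) if t1(x) else EPS))
    return down(dec(l, l), l)

def tail(l):
    tl = letrec(lambda tl: lambda b, x: tl(b, d(d(x))) if t1(x) else d(x))
    return tl(l, l)

def leq(u, v):
    """Assumed ordering on words: shorter first, then lexicographic."""
    return (len(u), u) <= (len(v), v)

def insert(w, l):
    # The recursive call sits inside an argument of cons.
    ins = letrec(lambda ins: lambda b, lp: (
        (cons(w, lp) if leq(w, head(lp)) else cons(head(lp), ins(b, tail(lp))))
        if lp else cons(w, NIL)))
    return ins(l, l)

def ins_sort(l):
    # down records that the sorted tail is no longer than the list lp itself.
    isort = letrec(lambda isort: lambda b, lp: (
        insert(head(lp), down(isort(b, tail(lp)), lp)) if lp else EPS))
    return isort(l, l)

def encode(words):
    """Code a Python list of words as s(w_0) ++ ... ++ s(w_{k-1}) using cons."""
    l = NIL
    for w in reversed(words):
        l = cons(w, l)
    return l

def decode(l):
    """Read the elements back with head and tail."""
    out = []
    while l:
        out.append(head(l))
        l = tail(l)
    return out

def unwinds_of(fn, *args):
    """Number of crec unwindings performed while computing fn(*args)."""
    STATS["unwinds"] = 0
    fn(*args)
    return STATS["unwinds"]

if __name__ == "__main__":
    sample = ["110", "1", "10", ""]  # constructed sample input
    print(encode(sample), decode(ins_sort(encode(sample))))
```

With a strict clock test the last unwinding of `enc` (the one that writes the terminating 0) would be cut off, which is why the model uses the non-strict comparison.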

3. Soundness theorems 

In this section we rework the Soundness Theorem of ATS to set up the framework for such 
theorems, and then use the framework to handle the recursions used to implement insertion-sort 
(we discuss selection-sort in Section [4]). Because of space considerations, we just sketch the main 

3 In these code samples, letrec f = s in t end abbreviates $t[f \mapsto \mathsf{crec}\ \varepsilon\ (\lambda_r f.s)]$ and we use the ML notation 
fn x => ... for $\lambda$-abstraction. 

4 Leivant's recursion under a high-tier bound [11, §3.1] implements a similar idea. 
val nil = ε : N_ε 

(* cons w l: prepend the self-delimiting code s(w) to the list l *) 
val cons : N_ε -> N_◇ -> N_◇ = 
  fn w l => letrec enc : N_ε -> N_◇ -> N_◇ = 
              (* b is the clock bound, x the bits of w still to be coded *) 
              fn b x => if x then if t0(x) then c1(c0(enc b (d x))) 
                                  else c1(c1(enc b (d x))) 
                        else c0(l) 
            in enc w w end 

(* head l: decode the first element of l *) 
val head : N_ε -> N_ε = 
  fn l => letrec dec : N_ε -> N_ε -> N_◇ = 
            fn b x => if t1(x) then 
                        if t0(d x) then c0(dec b (d(d(x)))) else c1(dec b (d(d(x)))) 
                      else ε 
          in down (dec l l) l end 

(* tail l: drop the code of the first element *) 
val tail : N_ε -> N_ε = 
  fn l => letrec tail' : N_ε -> N_ε -> N_ε = 
            fn b x => if t1(x) then tail' b (d(d(x))) else d(x) 
          in tail' l l end 

Figure 3. The basic list operations in ATR. 

val insert : N_ε -> N_ε -> N_◇ = 
  fn w l => letrec ins : N_ε -> N_ε -> N_◇ = 
              fn b l' => if l' then 
                           if leq w (head l') then cons w l' 
                           else cons (head l') (ins b (tail l')) 
                         else cons w nil 
            in ins l l end 

val ins_sort : N_ε -> N_◇ = 
  fn l => letrec isort : N_ε -> N_ε -> N_◇ = 
            (* down coerces the sorted tail back to N_ε so it can drive insert *) 
            fn b l' => if l' then insert (head l') (down (isort b (tail l')) l') else ε 
          in isort l l end 

Figure 4. Insertion-sort in ATR. 

points here and leave detailed proofs to the full paper. The key technical notion is that of bounding 
a closure $t\rho$ by a time-complexity, which provides upper bounds on the cost of evaluating $t\rho$ to a 
value $z\theta$ as well as the potential cost of using $z\theta$. The potential of a base-type closure is just its 
(denotation's) length, whereas the potential of a function $f$ is a function that maps potentials $p$ to 
the time complexity of evaluating $f$ on arguments of potential $p$. The bounding relation gives a 
time-complexity semantics for ATR-terms; a soundness theorem asserts the existence of a bounding 
time-complexity for every ATR term. In this paper, our soundness theorems also assert that the 
bounding time-complexities are safe, which in particular implies type-2 polynomial size and cost 
bounds for the closure. We thereby encapsulate the Soundness, polynomial-size-boundedness, and 
polynomial-time-boundedness theorems of ATS (the value semantics for the meaning of ATR terms 
and corresponding soundness theorem are unchanged). 
Figure 5. Typing rules for time-complexity polynomials. $\bullet$ is $+$ or $*$, $\gamma$ is a t.c. 
base type. 



Soundness for tail-recursion. We start by defining cost, potential, and time-complexity types, all 
of which are elements of the simple product type structure over the time-complexity base types 
$\{\mathsf{T}\} \cup \{\mathsf{T}_L \mid L \text{ is a label}\}$ (we sometimes conflate the syntactic types with their intended meaning, 
which is the standard set-theoretic semantics when all base types are interpreted as unary numerals). 
The subtype relation on base types is defined by $\mathsf{T}_L <: \mathsf{T}_{L'}$ if $L \le L'$ and $\mathsf{T}_L <: \mathsf{T}$ for all $L$, and 
extended to product and function types in the standard way. The only cost type is $\mathsf{T}$, and for 
each ATR-type $\sigma$ we define the potential type $\langle\langle\sigma\rangle\rangle$ and time-complexity type $\|\sigma\|$ by $\langle\langle\mathsf{N}_L\rangle\rangle = \mathsf{T}_L$, 
$\langle\langle\sigma \to \tau\rangle\rangle = \langle\langle\sigma\rangle\rangle \to \|\tau\|$, and $\|\tau\| = \mathsf{T} \times \langle\langle\tau\rangle\rangle$. Write $cost(\cdot)$ and $pot(\cdot)$ for the left- and right-
projections on $\|\tau\|$. We introduce time-complexity variables, a new syntactic category, and define 
a time-complexity context to be a finite map from t.c. variables to cost and potential types. For 
a t.c. context $\Sigma$, $\Sigma$-Env is the set of $\Sigma$ environments, defined in the usual way. We extend $\|\cdot\|$ 
to ATR-type contexts by introducing t.c. variables $x_c$ and $x_p$ for each ATR-variable $x$ and setting 
$\|\Gamma\| = \bigcup_{(x:\sigma)\in\Gamma} \{x_c : \mathsf{T},\ x_p : \langle\langle\sigma\rangle\rangle\}$. A time-complexity denotation of t.c. type $\gamma$ w.r.t. a t.c. environment 
$\Sigma$ is a function $X : \Sigma\text{-Env} \to \gamma$. The projections cost and pot extend to t.c. denotations in the 
obvious way. 
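Definition 1. 

(1) Suppose $t\rho$ is a closure and $z\theta$ a value, both of type $\tau$; $\chi$ a time-complexity of type $\|\tau\|$; and 
$q$ a potential of type $\langle\langle\tau\rangle\rangle$. Define the bounding relations $t\rho \sqsubseteq^{\tau} \chi$ and $z\theta \sqsubseteq^{\tau}_{pot} q$ as follows:⁵ 

(a) $t\rho \sqsubseteq^{\tau} \chi$ if $cost(t\rho) \le cost(\chi)$ and if $t\rho \downarrow z\theta$, then $z\theta \sqsubseteq^{\tau}_{pot} pot(\chi)$. 

(b) $z\theta \sqsubseteq^{b}_{pot} q$ if $|z| \le q$. 

(c) $(\lambda v.t)\theta \sqsubseteq^{\sigma\to\tau}_{pot} q$ if for all values $z\eta$, if $z\eta \sqsubseteq^{\sigma}_{pot} p$, then $t\theta[v \mapsto z\eta] \sqsubseteq^{\tau} q(p)$. 

(d) $O\theta \sqsubseteq^{\sigma\to\tau}_{pot} q$ if for all values $z\eta$, if $z\eta \sqsubseteq^{\sigma}_{pot} p$, then $(O(z\eta))[] \sqsubseteq^{\tau} q(p)$. 

(2) For $\rho \in \Gamma$-Env and $\varrho \in \|\Gamma\|$-Env, we write $\rho \sqsubseteq \varrho$ if for all $v \in \mathrm{Dom}\ \rho$ we have that 
$v\rho \sqsubseteq (\varrho(v_c), \varrho(v_p))$. 

(3) For an ATR-term $\Gamma; \Delta \vdash t : \tau$ and a time-complexity denotation $X$ of type $\|\tau\|$ w.r.t. $\|\Gamma; \Delta\|$, 
we say $t \sqsubseteq X$ if for all $\rho \in (\Gamma; \Delta)$-Env and $\varrho \in \|\Gamma; \Delta\|$-Env such that $\rho \sqsubseteq \varrho$ we have that 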

We define second-order polynomial expressions of tally, potential, and time-complexity types 
using the operations $+$, $*$, and $\vee$ (binary maximum); the typing rules are given in Figure 5. Of 
course, a polynomial $\Sigma \vdash p : \gamma$ corresponds to a t.c. denotation of type $\gamma$ w.r.t. $\Sigma$ in the obvious 
way. We shall frequently write $p_p$ for $pot(p)$. 

5 We will drop the superscript when it is clear from context. 
Definition 2. Let $\gamma$ be a potential type, $b$ a time-complexity base type, $p$ a potential polynomial, 
and suppose $\Sigma \vdash p : \gamma$. 

(1) $p$ is $b$-strict w.r.t. $\Sigma$ when $tail(\gamma) <: b$ and every unshadowed⁶ free-variable occurrence in $p$ 
has a type with tail $<: b$. 

(2) p is b-chary w.r.t. £ when 7 = b and p = p% V • • • V p m with m > where = [vq\ . . . q^) 
with each qi b-strict. 

(3) $p$ is $b$-safe w.r.t. $\Sigma$ if: 

(a) $\gamma$ is a base type and $p = q \odot_b r$ where $q$ is $b$-strict and $r$ is $b$-chary, $\odot_b = \vee$ if $b$ is 
oracular, and $\odot_b = +$ if $b$ is computational. 

(b) $\gamma = \sigma \to (\mathsf{T} \times \tau)$ and $pot(p\,v)$ is $b$-safe w.r.t. $\Sigma, v : \sigma$. 

(4) A t.c. polynomial $\Sigma \vdash q : \mathsf{T} \times \gamma$ is $b$-safe if $pot(q)$ is. 

(5) A t.c. denotation $X$ of type $\gamma$ w.r.t. $\Sigma$ is $b$-safe if $X$ is bounded by a $b$-safe t.c. polynomial 
$\Sigma \vdash p : \gamma$. 

The Soundness Theorem of ATS asserts that every tail-recursive term is bounded by a t.c. 
denotation for which the cost component is bounded by a type-2 polynomial in the lengths of $t$'s 
free variables. In the next subsection, we extend this to cons-tail recursion and prove that the 
bounding t.c. denotation is in fact safe. In particular, we also have that the potential of $t$'s 
denotation is bounded by a safe polynomial. At base type, this latter statement corresponds to the 
"poly-max" bounds that can be computed for Bellantoni-Cook and Leivant-style tiered functions 
(e.g., [3, Lemma 4.1]). 

Soundness for cons-tail-recursion. For the remainder of this subsection $t$ is a term such that $f$ is in 
cons-tail position in $t$ and for which we have a typing $\Gamma, \vec v : \vec b;\ f : \vec b \to b \vdash t : b$. We write $\Gamma_{\vec v}$ for the 
type context $\Gamma, \vec v : \vec b$. Define the terms $C_\ell = \mathsf{crec}\ (0^\ell a)\ (\lambda_r f.\lambda\vec v.t)$ and $T_\ell = \mathsf{if}\ |0^\ell a| \le |v_1|\ \mathsf{then}\ t\ \mathsf{else}\ \varepsilon$ 
(we write $0^\ell a$ for $0 \ldots 0a$ with $\ell$ 0's, remembering that this is a string constant), and for any 
environment $\rho$, set $\rho_\ell = \rho[f \mapsto C_\ell]$. The main difficulty in proving soundness is constructing 
a bounding t.c. denotation for crec terms. A key component in the construction is the Affine 
Decomposition Theorem in Section 14 of ATS, which describes how to compute the time-complexity 
of a term in which $f$ occurs affinely and in tail position. To state it, we need some definitions. 

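Definition 3. Let $X$ and $Y$ be t.c. denotations of type $\|\sigma \to \tau\|$ and $\|\sigma\|$, respectively. 

(1) For a potential $p : \mathsf{T}_L$, $val\ p = (1 \vee p, p)$; if $p$ is of higher type, then $val\ p = (1, p)$. For a t.c. 
environment $\varrho$ and ATR variable $v$ we write $\varrho[v \mapsto \chi]$ for $\varrho[v_c, v_p \mapsto cost(\chi), pot(\chi)]$. 

(2) If $Y$ is w.r.t. $\|\Gamma, v : \sigma'\|$, then $\lambda_\star v.Y =_{df} \lambda\varrho.(1, \lambda v_p.Y(\varrho[v \mapsto val\ v_p]))$ is a t.c. denotation of 
type $\|\sigma' \to \sigma\|$ w.r.t. $\|\Gamma\|$ (we use $\lambda x.\cdots$ to denote the map $x \mapsto \cdots$). 

(3) $X \star Y =_{df} \lambda\varrho.(cost(X\varrho) + cost(Y\varrho) + cost(\chi) + 1,\ pot(\chi))$ is a t.c. denotation of type $\|\tau\|$, 
where $\chi = pot(X\varrho)(pot(Y\varrho))$ (we write $\lambda\varrho.\ldots$ for $\varrho \mapsto \ldots$). 

(4) $dally(\ell, X) = \lambda\varrho.(\ell + cost(X\varrho),\ pot(X\varrho))$ and for $\|\sigma\| = \mathsf{T} \times \mathsf{T}_L$, $pad(\ell, Y) = \lambda\varrho.(cost(Y\varrho),\ \ell + pot(Y\varrho))$. 

(5) For $\|\sigma\| = \mathsf{T} \times \mathsf{T}_L$, and $Z$ also a t.c. denotation of type $\|\sigma\|$, $(Z \uplus Y)\varrho = (cost(Z\varrho) + cost(Y\varrho),\ pot(Z\varrho) \vee pot(Y\varrho))$. 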

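Theorem 1 (Decomposition Theorem). Suppose $t \sqsubseteq X$ and $Y_i$ is such that if $f\,t_1 \ldots t_k$ is a complete 
application of $f$ in $t$, then $t_i \sqsubseteq Y_i$. Then 

$$t \sqsubseteq \lambda\varrho.\big(X\varrho_\varepsilon \uplus pad(tail\_len(f, t),\ \varrho f \star Y_1\varrho_\varepsilon \star \cdots \star Y_k\varrho_\varepsilon)\big)$$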



6 Roughly, a free-variable occurrence is shadowed if it is in a subterm that does not contribute to the size of the 
term; see ATS for details. 
where $\varrho_\varepsilon = \varrho[f \mapsto \lambda_\star\vec v.(1,0)]$ and $tail\_len(f,t)$ is defined in Footnote 2. 

Intuitively, the cost of "getting to" the recursive call is covered by $X\varrho_\varepsilon$, and the cost of the 
call itself by $\varrho f \star Y_1\varrho_\varepsilon \star \cdots \star Y_k\varrho_\varepsilon$, taking into account any $\mathsf{c}_a$ operations after the call (this is an 
over-estimate if no recursive call is made). The potential (size in this case, since $t$ is of base type) 
is either independent of any complete application of $f$ or is equal to the size of such an application, 
again taking into account later $\mathsf{c}_a$ operations. 

Definition 4. A decomposition function for t is a function d(g^ r ^~ Env , x" 7 ") : ||b|| such that t C 
Xg.d(g £ , gf) (recall that / is the affinely-restricted variable in t). 

Recalling the evaluation rule for crec and the definition of $C_\ell$, we see that we must understand 
how the closure $T_0\rho_1$ is evaluated for appropriate $\rho$. It is easy to see that in such an evaluation, 
the only sub-evaluations of closures over terms of the form $T_m$ are evaluations of closures of the 
form $T_m\rho_{m+1}[\vec v \mapsto \vec z\vec\theta]$ for some closures $\vec z\vec\theta$. For the closure $T_0\rho_1$ we say that the clock is bounded 
by $K$ if in every such sub-evaluation we have that $|z_1| < K$. 

For a decomposition function $d$ define $\Phi_{d,K}(n) : \|\Gamma_{\vec v}\|\text{-Env} \to \|b\|$ by 

$$\Phi_{d,K}(0) = \lambda\varrho.(2K + 1,\ 0)$$
$$\Phi_{d,K}(n + 1) = \lambda\varrho.\ dally\big(2K + 1,\ d(\varrho_\varepsilon,\ dally(2, (\lambda_\star\vec v.\Phi_{d,K}(n))\varrho)) \vee (1, 0)\big)$$

We will use $\Phi_{d,K}$ to bound $T_\ell$. 

Theorem 2 (Recomposition Lemma). Suppose $d$ is a decomposition function for $t$, $\rho \in \Gamma_{\vec v}$-Env, 
$\varrho \in \|\Gamma_{\vec v}\|$-Env, $\rho \sqsubseteq \varrho$, and that in the evaluation of $T_0\rho_1$ the clock is bounded by $K$. Then 
$T_0\rho_1 \sqsubseteq \Phi_{d,K}(K - |a|)(\varrho[v_1 \mapsto val(\varrho v_{1p})])$. 

The Recomposition Lemma tells us that $\Phi_{d,K}(n)$ gives us a bound on the time-complexity of our 
recursion scheme. What we must do now is to "solve" the recurrence used to define $\Phi$ and show 
that it is polynomially-bounded. 

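Theorem 3 (Bounding Lemma). Suppose that in Theorem 1 we can assume that $X$ and each $Y_i$ 
are bounded by t.c. polynomials $p$ and $p_i$, respectively. Assume further that $p$ is $\langle\langle b\rangle\rangle$-safe and $p_i$ is 
$\langle\langle b_i\rangle\rangle$-safe w.r.t. $\|\Gamma_{\vec v}\|$. Then there is a $\langle\langle b\rangle\rangle$-safe polynomial $\|\Gamma_{\vec v}\|, K : \langle\langle b_1\rangle\rangle, n : \langle\langle b_1\rangle\rangle \vdash \varphi(K, n) : \|b\|$ 
such that for all $K$ and $n$, $\Phi_{d,K}(n) \le \varphi(K, n)$. 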

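Proof. Let $d$ be the decomposition function for $t$ given in Theorem 1. Using the definition of $d$ we 
can find a $\langle\langle b\rangle\rangle$-safe polynomial $\|\Gamma_{\vec v}\|, K : \langle\langle b_1\rangle\rangle \vdash (P_0(K), P_1) : \|b\|$ and a recursive upper bound 
on $\Phi_{d,K}(n)\varrho$: 

$$\Phi_{d,K}(0)\varrho \le (2K + 1,\ 0)$$
$$\Phi_{d,K}(n+1)\varrho \le (P_0(K), P_1)\varrho \uplus pad(\ell,\ \Phi_{d,K}(n)\varrho[v_i \mapsto val(p_{ip}\varrho)])$$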

where £ = tailJen(f,t). An easy proof by induction shows that ^d,K( n ) < ( n Po(K)£, n ~ 1 + 2if + 
1, n£ + P\^ n ~ l ) for n > 1, where £° = id and (t>j c , Vi p )^ n+1 = val(pi p ^ n ). Since I ^ implies bi <: b, 
n£ + Pi^ ra_1 is bounded by a ((b))-safe polynomial provided that Pi^ n_1 is ((b))-safe. Since Pi is 
((b))-safe and type-correct substitution of safe polynomials into a safe polynomial yields a safe 
polynomial (shown in Section 8 of ATS), to prove the theorem it suffices to show that Pi p £ n is a 
((b,;))-safe polynomial for each i. The proof of this is essentially the proofs of the One-step and 
n-step lemmas of Section 10 in ATS (it is here that we use the remaining constraints on the types 
in the crec typing rule). □ 
Proposition 4 (Termination Lemma). Assume the hypotheses of Theorem 3 hold and that $\rho \sqsubseteq \varrho$. 
Then in the evaluation of $T_0\rho_1$ the clock is bounded by pi p £} g, where £ is defined as in the proof 
of Theorem 3. 

Proof. This follows from the details of the proof of Theorem 3. □ 

Theorem 5 (Soundness Theorem). For every ATR term $\Gamma; \Delta \vdash t : \tau$ there is a $tail(\|\tau\|)$-safe t.c. 
denotation $X$ of type $\|\tau\|$ w.r.t. $\|\Gamma; \Delta\|$ such that $t \sqsubseteq X$. 

Proof. The proof is by induction on terms; for non-crec terms it is essentially as in ATS. For 
T;_ h crec a(X r f .Xv.t) : b — > b, suppose p G T-Env, £ G ||r||-Env, p Q g. Use the Bounding, Termi- 
nation and Recomposition Lemmas to show that (Xv.Tq)p\ C (A*'U.(^(pip£ 1 ,pip£ 1 — |a|))^, where 
pi, if, and £ n are as in the proof of the Bounding Lemma. We conclude that crec a (X r f.Xv.t) C 
dally(l, X i ,v.ip(pi p ^ 1 ,pi p ^ — \a\)). Since this last time-complexity is a ((b))-safe polynomial, the 
claim is proved. □ 

Corollary 6. If $\_;\_ \vdash t : \tau$, then $t$ is computable in type-2 polynomial time. 

Soundness for recursion in an argument. We now address the recursions used in insertion-sort, in 
which the recursive use of the function occurs inside an argument to a previously-defined function. 
What we are really after here is structural (primitive) recursion for defined datatypes (such as our 
defined lists). First we adapt our $\to$-E rule to allow affine variables to appear in arguments to 
applications. We still require some restrictions in order to ensure a one-use property; the following 
is more than sufficient for our needs: 

$$\frac{\Gamma; \Delta_0 \vdash s : \sigma \to \tau \qquad \Gamma; \Delta_1 \vdash t : \sigma}{\Gamma; \Delta_0 \cup \Delta_1 \vdash s\,t : \tau}$$

where at most one of $\Delta_0$ and $\Delta_1$ are non-empty, and if level $\sigma > 0$, then $\Delta_1 = \emptyset$. Thus an affine 
variable $f$ may only occur in $t$ if $t$ is of base type, and may not occur simultaneously in $s$ and $t$. 
In particular, it is safe for $\beta$-reduction to copy a completed $f$-computation, but not an incomplete 
one. To simplify notation for the recursion present in insertion-sort we consider the special case in 
which we allow typings of the form (*) provided $t = \mathsf{if}\ s'\ \mathsf{then}\ s(f\,\vec t)\ \mathsf{else}\ s''$ where $f$ is not free in $s'$ 
or $s''$ (we treat the general case in the full paper). 

First we must find a decomposition function. Assuming that s C X s , t C Xt, and tj C 1$, we 
can take as our decomposition function 

d(g, X) = X-tQ ttl (cost [X s g) + cost(x * Xg) + cost (pot (X s g) (pot (x * -X"f?))) , 

pot (pot (X s g) (pot ( X * Xg))) ) 

where we have written $\chi \star \vec X\varrho$ for $\chi \star X_1\varrho \star \cdots \star X_k\varrho$. Assume the inductively-given bounding 
t.c. denotations are bounded by safe polynomials $p_s$, $p_t$, and $p_1, \ldots, p_k$. The Soundness Theorem 
follows from the Recomposition Lemma provided we have a polynomial bound on $\Phi_{d,K}(n)$, so now 
we establish such a bound. 

When b is oracular, then since p sp (= pot(p s )) is ((b))-safe, we have that Psp — 
(r s V z)) where q s is ((b))-strict and r s is ((b))-chary and does not contain z. We can therefore find a 
((b))-safe t.c. polynomial (Pq(K, z" b "), P\) and derive the following recursive bound on §d,K using 
the same conventions as in our analysis of cons-tail recursion: 

*d,K(0)Q<{2K + l,0) 

^dM n + l )Q=( P o(K,pot(^ d)K (n)g')),P 1 )^^ d ^ K (n)g' 
where g' = g[vi i— > val(pi P g)]. It is an easy induction to show that for n > 1 $d,K( n ) < {{ n • 
Po(^ ; -Pi) + 2.K" + l)£ n_1 , Pi£ n_1 ) and thus the Bounding and Termination Lemmas that must be 
proved are exactly those of before. 

When b is computational a similar calculation yields the bounding polynomial ((n ■ Pq((u — 2)q s + 
Pi) + 2 Plp )C~\ (n - l)^^" 2 + PxC 1 ) for a ((b))-strict polynomial q s . 

4. Concluding remarks 

In ATS we introduced the formalism ATR which captures the basic feasible functionals at 
type-level $\le 2$. We have extended the formalism with recursion schemes that allow for more natural 
programming and demonstrated the new formalism by implementing lists of binary strings and 
insertion-sort and showing that the new recursion schemes do not take us out of the realm of 
feasibility. We have also given a strategy for proving that particular forms of recursion can be 
"safely" added to the base system. Here we indicate some future directions: 

More general affine recursions. In the full paper we give a definition of plain affine recursion that 
generalizes cons-tail recursion, allows recursive calls in arguments, and permits recursive calls in 
the body of let-expressions. In particular, it covers all forms of recursion used in the list operations 
and insertion- and selection-sort (code for the latter is in Figure 6). At the time of writing, we do 
not have all the details of the soundness argument in the general case, but we expect it to follow 
the framework we have developed here. 

Lazy ATR. A version of ATR with lazy constructors (streams) and evaluation would be very 
interesting. There are many technical challenges in analyzing such a system but again we expect that 
the general outline will be the approach we have used in this paper. Of course one can implement 
streams in the current call-by-value setting in standard ways (raising the type-level), but a direct 
lazy implementation of streams is likely to be more informative. We expect the analysis of such a 
lazy-ATR to require an extensive reworking of the various semantic models we have discussed here 
and in ATS. 

Real-number algorithms. ATR is a type-2 language, but here we have focused on type-1 algo- 
rithms. We are working on implementing real-number algorithms, viewing a real number as a 
type-1 (stream) oracle. This can be done in either a call-by-value setting (e.g., algorithms that take 
a string of length n as input and return something like an n-bit approximation of the result) or a 
lazy setting (in which the algorithm returns bits of the result on demand). 
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Appendix A. Typing rules and evaluation 

Recall that labels L are elements of (□<>)* U <>(□<>)*• We define Do = e, Od = <>□<*, and 
□d+i = DOd- We give the ATR expressions and typing rules in Figures [T1 and [21 A For convenience, 
we view oracle symbols as different syntactic objects than (type-level- 1) variables; essentially they 
are variables with a fixed meaning and that cannot be abstracted. 

We define the evaluation relation in Figure [7]. This relates closures to values, defined 
simultaneously as follows: 

(1) A closure $t\rho$ consists of a term $t$ and an environment $\rho$ such that every free variable 
of $t$ is in the domain of $\rho$ and for every $x$ in the domain of $\rho$, $\rho(x)$ is a closure. 

(2) A value $z\theta$ is a closure in which $z$ is either a string constant, oracle, or abstraction. 

(3) An extended value $z\theta$ is a closure that is either a value or for which 
$z = \mathsf{crec}\ a\ (\lambda_r f.\lambda\vec v.t)$ for some string constant $a$, variables $f$ and 
$\vec v$, and term $t$. 

(4) An environment is a finite map from term variables to extended values. 

Recalling that oracles range over type-1 functions and that the only type-0 values are string 
constants, the evaluation rules $O_0$ and $O_1$ say to treat multiple-argument oracles as though they are 
in curried form, returning the curried oracle result until all arguments have been provided. The 
cost of each rule is 1 with the following exceptions: 

(1) The cost of (Env) is $1 \vee |z|$ if $z$ is a string constant and 1 otherwise; 

(2) The cost of (down$_i$) is $2|K_t| + 1$; 

(3) The cost of ($O_0$) is $|K| + 1$ and the cost of ($O_1$) is 1. 

These costs reflect a length-cost model of accessing the environment or evaluating an oracle and an 
evaluation of $|K_s| \le |K_t|$ by stripping off bits one-by-one from each of $K_s$ and $K_t$. 
The typing rules for t.c. polynomials are given in Figure 

Appendix B. Proofs of the main theorems 

In this section, we prove the Recomposition Lemma (Theorem [2]). As a guide to the notation, 
environments p and g typically refer to and ||IV|| environments and environments p and g 
typically refer to T and |[r||-environments. 

First we formalize the notion of "hard-coding" an upper bound for the clock. Note that to 
evaluate $\mathsf{crec}\ a\ (\lambda_r f.\lambda\vec v.t)$ applied to appropriate arguments, we really 
evaluate $T_0\rho_1$. Suppose we have a typing of the form (*) and consider the evaluation of 
$T_\ell\rho_{\ell+1}$ where we assume that the crec clock-test does not terminate the recursion. 
The evaluation has the form: 

(O e a)p e+ i j (0 £ a)[] y m+1 j ■ ■ ■ 
(c (0M W I (O W «)0 (coM)p W I- v 
(down(co(0^))(c r;i)) / 9, +1 [ (0 £+1 a)[] t Pe+1 | •■■ 

where T> is the derivation 



In ATS, we restricted to tail-recursion and thus needed no constraint on $b_0$ in the (crec-I) rule; we have not seen 
any natural programs in which this constraint is violated. 
Figure 7. ATR evaluation. In the $O_i$ rules, $[\![z]\!]\theta$ is the denotation of $z$ under 
environment $\theta$, defined in the obvious way; note that for a well-typed term, $z$ will 
be of base type, hence a constant, so $\theta$ is irrelevant. 



Figure 8. Typing rules for time-complexity polynomials. $\bullet$ is $+$ or $*$, $\gamma$ is a t.c. 
base type, and $\gamma <: \gamma'$ is defined by $T_{\Box_k} <: T_{\Diamond_k} <: T_{\Box_{k+1}}$ and 
$T_L <: T$ for all $L$. 



{Ce+i) P I (Af/.r^ + i)^ +2 

/W+l I {^V.T l+l ) Pt+ 2 



tkPe+i i z k 9 k (T e+1 )pi +2 [vi h-> gjgj] j 



*P£+1 I 
provided that $t\rho_{\ell+1}$ actually makes a recursive call. Thus we see that all closures over some 
$T_m$ in the evaluation of $T_\ell\rho_{\ell+1}$ have the form $T_m\rho_{m+1}[\vec v \mapsto \vec{z\theta}]$. 
For a particular closure $T_\ell\rho_{\ell+1}$ we say that the clock is bounded by $K$ if in its 
evaluation, for every subevaluation of a closure $T_m\rho_{m+1}[\vec v \mapsto \vec{z\theta}]$ 
it is the case that $|z_1| < K$. 

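To prove the Recomposition Lemma, we embed the evaluation of a clocked recursion in which 
the clock is bounded into an evaluation in which the clock is fixed. To this end, introduce new term 
constructors $\mathsf{rec}_K$ with the following evaluation rule: 

$(\mathsf{rec}_K\ a\ (\lambda_r f.\lambda\vec v.t))\rho \downarrow (\lambda\vec v.\mathsf{if}\ |a| < |0^K|\ \mathsf{then}\ t\ \mathsf{else}\ \varepsilon)\rho[f \mapsto \mathsf{rec}_K\ (0a)\ (\lambda_r f.\lambda\vec v.t)]$ 

Set 

$C_{K,\ell} = \mathsf{rec}_K\ (0^\ell a)\ (\lambda_r f.\lambda\vec v.t)$, $T_{K,\ell} = \mathsf{if}\ |0^\ell a| < |0^K|\ \mathsf{then}\ t\ \mathsf{else}\ \varepsilon$ 
and for an environment $\rho$ set $\rho_{K,\ell} = \rho[f \mapsto C_{K,\ell}]$. 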

Lemma 7. Suppose that whenever p G (r, - / : 7)-Env, g € ||r||-Env, and p f Dom T Q g, it is the 
case that (Xv.t)p E (A+v.X)g. If p G (T^j; f : 7)-Env, g G ||r#; / : 7||-Env, and p \ Dom C £, 
then tp C i— > ua£(fWj p )]). 

Definition 5. For as defined in Section El define &d,K(n) = X^v.^^k^). 
Definition 6. For a t.c. environment g defined on H^H, define g v = g[vi i— > waZ(gVi p )]. 

Lemma 8. Suppose r, i7 : b; / : b — ^ b I— t : b and that d is a decomposition function for t. 

(1) Suppose p G T-Env, g G ||r||-Env, and p E £>• Then (Xv.Tk/)pk,£+i E ^<i,k{K — |0^a|)^. 

(2) Suppose p G T^-Env, £ G [|r#||-Env, p E £• Then Tx/PK,t+i E ^d.A"^ — |0 a\)g v . 

Proof. The second part follows from the first by Lemma [7J so we just prove the first by in- 
duction on K — |0^a|. The base case is immediate. The induction hypothesis tells us that 
(Xv.T K/+1 )p K/+2 C $ d , K (K - \0 £ a\ - l)g. Set g(f) = dally(2,$ diK (K - \0 e a\ - l)g). Then since 
fpK,e+i evaluates to (Xv.Tx/+i)pK,e+2 i n two steps, we have that fp~K,e+i E dally(2,^ d x(K — 
\0 £ a\ — l)g) = g(f) and thus p~K,e+i E Q- Since d is a decomposition function for t, we have that 

(Xv.T Kt e)g Kti+1 = (\±v.Ag. dally(2K + 1, d(g e , gf) V (1, 0)))g 
= (1, \v lp (. . . (1, Xv kp . dally(2K + 1, 

d(g £ [ Vi i-» val(v ip )}, dally (2, $ d , K {K - \0 e a\ - 1)£))V 

(i,o)))...)) 

= (1, Xv lp (. . . (1, Av kp . dally(2K + 1, 
d(g e [vi h-> val(v ip )], 

dally(2, $ d , K (K - \0 l a\ - l)g[vi i-» val(v ip )]))\J 

(i,o)))...)) 

= (X±v.\g. dally(2K + 1, 

d(g e , dally(2, $ d)K (K - \0 e a\ - l)g)) V (1,0))) g 
= (A*v.<!> dtK (K - \0 e a\))g 
= $ d<K {K - \0 e a\)g. 

□ 






Theorem 9 (Theorem [2], Recomposition Lemma). Assume the hypotheses of Lemma [8](2). Assume 
further that in the evaluation of $T_0\rho_1$ the clock is bounded by $K$. Then 
$T_0\rho_1 \sqsubseteq \Phi_{d,K}(K - |a|)\varrho^{\vec v}$. 

Proof Sketch. The hypotheses allow us to define an injective map $F$ from the evaluation derivation 
of $T_0\rho_1$ to the evaluation derivation of $T_{K,0}\rho_{K,1}$ such that: 

(1) $F$ maps the root to the root; 

(2) $F$ preserves the "child-of" relation; 

(3) The only differences between the closures at the node $x$ and $F(x)$ are: 

(a) $C_m$ is replaced with $C_{K,m}$; 

(b) $T_m$ is replaced with $T_{K,m}$; 

(c) The evaluations of $(\mathsf{down}(c_0(0^m a))(c_0 v_1))\rho'_{m+1}$ are mapped to evaluations of 
$(\mathsf{down}(c_0(0^m a))(c_0 0^K))\rho'_{K,m+1}$. 

Thus we have that the evaluation derivation of $T_0\rho_1$ is no larger than that of $T_{K,0}\rho_{K,1}$ and that 
$T_0\rho_1 \downarrow z\theta$ iff $T_{K,0}\rho_{K,1} \downarrow z\theta$. From this we conclude that since 
$(T_{K,0})\rho_{K,1} \sqsubseteq \Phi_{d,K}(K - |a|)\varrho^{\vec v}$ we also 
have that $(T_0)\rho_1 \sqsubseteq \Phi_{d,K}(K - |a|)\varrho^{\vec v}$. □ 

Theorem 10 (Theorem [5], Soundness Theorem). If $\Gamma;\Delta \vdash t : \tau$ is an ATR term, then there is a 
$\mathrm{tail}(\|\tau\|)$-safe t.c. denotation $X$ of type $\|\tau\|$ w.r.t. $\|\Gamma;\Delta\|$ such that $t \sqsubseteq X$. 

Proof. The proof is by induction on t. For everything but crec terms, it is mostly a pushing-through 
of the definition of C. Now suppose that T;_ h crec a (X r f.Xv.t) : b — > b, p £ T-Env, g G ||r||-Env, 
and that p jZ g. Noting that (crec a (X r f.Xv.t))p [ (Xv.To)p±, we wish to show that this latter term 
is bounded by (A*-u.</?(pi p £ ,Pi p t; — \a\,v))g where (p and £ are as in the proof of the Bounding 
Lemma. To do so, it suffices to show that if ZiOi Z pot qi, p\ = Pi[vi > ZiOi], and g* = g[vi t— » val(qi)], 
then TqpI !Z <p(p\ p £} ,pi p £} — \a\,v)g*. Since pi |Z £>*, from the Termination Lemma we have that 
the clock on T$p\ is bounded by Pip^g* ■ Thus by the Recomposition Lemma we have that 

T pl [Z ^ d>Plp ^^{Pip^Q* ~ \a\)(g*) V = ^ d;Plp ^g*(pi p ^g* - \a\)g* 

< vipip^iPipZ 1 ~ W\,v)g*. 

We conclude that (crec a (X r f.Xv.t))p C dally (1, X iK v.ip(pi p ^ 1 ,pi p ^ — \a\, v))g and hence that crec a(X r f.Xv.t) jZ 
dally(l, A^^Oip^jPxpC 1 - □ 

Appendix C. Plain affine recursion 

We generalize the recursion schemes we have discussed in this paper as follows: 

Definition 7. $t$ is a plain affine recursive definition of $f$ if 

(1) $f \notin \mathrm{fv}(t)$; or 

(2) $t = f\,t_1 \dots t_k$ where $f \notin \mathrm{fv}(t_i)$ for any $i$; or 

(3) $t = \mathsf{if}\ s\ \mathsf{then}\ s_0\ \mathsf{else}\ s_1$ where $f \notin \mathrm{fv}(s)$ and each $s_i$ is a plain affine recursive definition of $f$; 
or 

(4) $t = \mathsf{op}\ s$ where $\mathsf{op}$ is any of $c_a$, $d$, or $t_a$ and $s$ is a plain affine recursive definition of $f$; or 

(5) $t = \mathsf{down}\ s_0\,s_1$ where $s_0$ is a plain affine recursive definition of $f$ and $f \notin \mathrm{fv}(s_1)$; or 

(6) $t = s\,t_1 \dots t_k$ where $f \notin \mathrm{fv}(s)$ and each $t_i$ is a plain affine recursive definition of $f$; or 

(7) $t = (\lambda x.s)\,r$ where $s$ is a plain affine recursive definition of $f$ and $f \notin \mathrm{fv}(r)$. 
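
Definition 7 is a purely syntactic condition, so it can be checked by structural recursion on terms. The checker below is an added example, not code from the paper: the tuple encoding of terms, the names `fv`, `plain_affine` and `V`, and the sample terms (including the encoding of the insertion-sort clause from Section 1) are assumptions made for illustration.

```python
OPS = {"c0", "c1", "d", "t0", "t1"}   # the operators c_a, d, t_a for a in {0, 1}

def fv(t):
    """Free variables of a term in the (assumed) tuple encoding."""
    tag = t[0]
    if tag == "var":
        return {t[1]}
    if tag == "const":
        return set()
    if tag == "lam":                    # ("lam", x, body)
        return fv(t[2]) - {t[1]}
    if tag == "op":                     # ("op", name, s)
        return fv(t[2])
    if tag == "app":                    # ("app", head, [t1, ..., tk])
        return fv(t[1]).union(*(fv(a) for a in t[2]))
    return set().union(*(fv(s) for s in t[1:]))   # "if" and "down"

def plain_affine(t, f):
    """True iff t satisfies one of clauses (1)-(7) of Definition 7 for f."""
    if f not in fv(t):                                        # (1)
        return True
    tag = t[0]
    if tag == "if":                                           # (3)
        return (f not in fv(t[1]) and plain_affine(t[2], f)
                and plain_affine(t[3], f))
    if tag == "op":                                           # (4)
        return t[1] in OPS and plain_affine(t[2], f)
    if tag == "down":                                         # (5)
        return plain_affine(t[1], f) and f not in fv(t[2])
    if tag == "app":
        head, args = t[1], t[2]
        if head == ("var", f):                                # (2)
            return all(f not in fv(a) for a in args)
        if f not in fv(head):                                 # (6)
            return all(plain_affine(a, f) for a in args)
        if head[0] == "lam" and len(args) == 1:               # (7)
            return plain_affine(head[2], f) and f not in fv(args[0])
    return False

V = lambda name: ("var", name)
# Constructed samples. INS_SORT encodes the insertion-sort clause
# insert(a, ins_sort(l)) as: if l then insert a (f (d l)) else (empty string).
INS_SORT = ("if", V("l"),
            ("app", V("insert"), [V("a"), ("app", V("f"), [("op", "d", V("l"))])]),
            ("const", ""))
NESTED = ("app", V("f"), [("app", V("f"), [V("x")])])   # f (f x)
DOWN_BAD = ("down", V("x"), ("app", V("f"), [V("y")]))  # f in the bound of down
print(plain_affine(INS_SORT, "f"), plain_affine(NESTED, "f"), plain_affine(DOWN_BAD, "f"))
```

The insertion-sort clause is accepted because the recursive call sits in an argument of `insert`, in which `f` is not free; a recursive call nested inside another recursive call's argument, or placed in the second argument of `down`, is rejected.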



Clearly we are duplicating work that the affine type system does for us here; we have not yet fully investigated 
this situation. 
We continue here to consider the special case of $t = \mathsf{if}\ s'\ \mathsf{then}\ s(f\,t)\ \mathsf{else}\ s''$ where $f$ is not free in $s'$ 
or $s''$. We have already established a decomposition function; all that remains is to set up and solve 
a recursive bound on $>d,K(n) when b is computational. In this case p sp = Xz^ .(p, q s + (r s V z)) 
where q s is ((b))-strict and r s is ((b))-chary and does not contain z. The recurrence to solve is 

^ dl A-(0)e< (2K + i,o) 

$dA n + l )Q < ( P o(K, pot{^ dtK (n)g')), Pi) W pad(q s , $ d ,K{ n )e') 

where g' = g[vi i— > val(pi p g)] and (Pq(K, z^), P±) is a ((b))-safe t.c. polynomial. The solution to 
this recurrence is given by 

*d,K(n) < ((n • P ((n - 2)q s + Pi) + 2K + l)^" 1 , (n - l)g s C~ 2 + Af 1 " 1 ) 

for n > 2, so the Bounding and Termination Lemmas to be proved are those of before. Furthermore, 
since b is computational, b > bi and so we have that n^ bl ^q s is a b-strict polynomial, and hence 
n 9s? n 1 + Pi£ n is b-safe for each n. The rest of the Soundness Theorem follows. 